Jeremiah Grossman: Focus on ransomware, SDLC, and endpoints

With so many elements in information security -- application, network infrastructure, the endpoint, perimeter defenses, and data-centric approaches -- it's easy to fall in the trap of touting one as more important than the other. But it's a mistake to consider information security as a series of silos when it's actually an intersection of different areas. That overlap is most evident with application and endpoint security.

For Jeremiah Grossman, the new chief security strategist at security vendor Sentinel One, application security and endpoint security are just different steps in the kill chain. As the founder and former CTO of the consultancy WhiteHat Security, Grossman has been the go-to-expert for web application security for years, and his new focus on endpoint security at Sentinel One does not mean that he has given up on securing web applications.

Jeremiah Grossman

"From an adversary kill-chain perspective, if we can get the bad guys not to be able to break into the website, great, let's do that. But if we can't, let's makes sure that if the system gets compromised and malware is on it, we can detect it really, really quickly and stop it, or eradicate it," Grossman said.

Many of the latest data breaches began with the adversaries exploiting a vulnerability in a web application, and then pivoting in the network to find other vulnerabilities and weaknesses. The web application is the doorway, but the actual attack happens on the endpoint, whether that's valuable data stored in a database or, in the case of ransomware, documents that could be locked up to demand ransom. Web application security and endpoint security are intricately tied up together, he said.

Back in 2001, when Grossman first started working on web application security, cross-site scripting flaws and SQL-injection errors were rampant, with pretty much every website affected. Fast-forward to 2016, and such attacks are incredibly rare among major sites. Cross-site scripting and SQL injection still exist on many websites, but it's no longer as widespread.

App security still matters, but SDLC has to be done judiciously

Information security professionals frequently talk about inserting security throughout the SDLC (software development lifecycle): Developers adopt secure coding principles and perform regular testing to catch and fix bugs before the application goes to production. The SDLC is a good thing, and more organizations need to adopt the secure development mindset.

But it isn't practical to demand all existing applications be rewritten under the SDLC. Legacy software, which powers the majority of the web and is installed on billions of endpoints around the world, has vulnerabilities. Fixing those flaws is part of what Grossman calls "legacy janitorial work." No company can shoulder the cost of rewriting all their applications and starting over with a secure coding mindset. And then there are all the open source projects out there for which there's often no one to shoulder any such legacy janitorial work.

Microsoft is frequently touted as the poster child for how SDLC makes a difference, but that's an interesting -- and possibly unrepeatable -- case, Grossman said. The Microsoft that said it was going to start over and make its applications more secure was a monopoly, dominated the industry, had strong market share, and had "multiple billions" in the bank to spend on the effort, he noted. That's not the case for most companies faced with the prospect of revamping their software portfolio.

And today, a decade after Microsoft made that commitment, Microsoft itself couldn't likely make that commitment. "No one's going to disagree that the later versions of Windows, from Windows 7 to now, are solid. Microsoft did really good work. But what was the ROI for Microsoft in that?" Grossman said.

Instead of trying to revamping all the software, the effort should be two-pronged: 1) improve the process for remediating vulnerabilities as they are found, and 2) run new code, or actively managed code, through the SDLC.

That doesn't mean just incorporating SDLC elements, but also assessing the effectiveness of the new practices. "After you do a whole bunch of SDLC stuff, does the software actually come out more secure? If so, by how much? And is it worth it?" Grossmand said.

Security investments aren't going where they're most needed

The industry has made progress finding vulnerabilities, but the immensity of the web -- at a billion-plus websites strong -- means the cleanup effort is going to take a lot of time and resources. That means there will be more compromises, attacks, and infections in the meantime.

While the industry focuses the efforts toward fixing vulnerabilities and writing new code, there has to be a parallel effort to improve endpoint security to block the adversaries. "You could compromise a company just by sending an email. That's a pretty attractive route" for criminals, Grossman said.

"The spending models are all backward," Grossman said. Enterprises spend most of their IT budgets on software, followed by endpoints, and very little on networks, whereas the lion's share of the IT security budget goes to perimeter defenses, such as firewalls and endpoint security, and very little is spent on software.

Ransomware must be tackled now, before it's too late

Organizations need to look at what the adversaries are doing and allocate efforts and funding accordingly. And right now, the adversaries are looking at ransomware. The FBI has estimated payments of US$23 million to $25 million were made to ransomware gangs in 2015, but that figure has ballooned to more than $200 million in the first quarter of 2016 alone. That's a staggering growth rate, especially since the latest research indicate ransomware still account for less than 5 percent of overall malware attacks.

While ransomware itself might not account for a big portion of the overall malware scourge, it is a serious problem, and creative minds need to start thinking of new methods and techniques to detect and foil these infections. "While we're still going to have the big malware problem overall, we're going to have another one in the form of ransomware," Grossman predicted.

Worse, it's not as if the general malware problem has been solved: Despite nearly $8 billion to $12 billion spent annually fighting malware, malware is rampant, he said.

Still, the latest anti-ransomware efforts, such as what Grossman will work on as part of his new role at Sentinel One, are an opportunity for information security professionals to get ahead of a problem before it becomes entrenched. There's no need to wait for ransomware to get bigger as a problem before coming up with new solutions. "We always seem to be ambulance chasers. But ransomware, we can see it coming. It's right there," Grossman said.

Grossman believes ransomware will be a billion-dollar market by 2018, and at that point it will be too late to do something about it. "We can fight an uphill battle, but for those who want to get ahead of it, we can do it now," Grossman said.

The web is too valuable not to actively protect

Many in the security industry, whether they came into the field by design or by accident, view the work as a calling. The web is the "greatest invention we'll see in our lifetime," Grossman said, who called it his mission to protect it and the billions of people using it every day.

Whether that's endpoint security or fixing vulnerabilities in web applications, the end result is the same. "I want to be able to protect people, protect websites, protect the web. It's that important. We're all using it today," he said.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.